SonnyJim writes "I frequently use Tor for my anonymous browsing needs, via the Tor Firefox bundle for Windows. I noticed that there are many other applications out there that use Tor as a proxy as well (Janus VM, ChrisPC, etc.) Are any of them more secure than the original Tor bundles, or am I just wasting my time trying these other applications? Is there anything more secure than Tor, as far as anonymous browsing goes?"

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing. Especially to Google via Google Analytics.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

You have some good points, though some of those concerns are easily addressed in your privoxy config. I use tor regularly BTW, and am impressed with its performance compared to a few years ago. I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.

I don't drink the kool-aid, but between privoxy and tor you can certainly avoid being tracked by all but the most devoted bad guys. However, if someone competent is targeting you specifically you're screwed no matter what you use, unless you're an uberhacker with access to some heavy hardware.

Didn't you know? It's "the good guys" doing the most tracking these days.

Sounds like you're confused. There are no "good guys" trying to track me, only pragmatic reasons I might choose to allow some limited tracking for some limited time (like for street navigation). The "bad guys" are by definition whomever is trying to track you.

Might, perhaps, have been best to leave out the adjective "bad", which implies the existence of "good" and so leads those of us who are foolish enough to take someone literally into hypothesizing the existence of an anode in their cathode-only universe.

Might, perhaps, have been best to leave out the adjective "bad", which implies the existence of "good" and so leads those of us who are foolish enough to take someone literally into hypothesizing the existence of an anode in their cathode-only universe.

Why would you want to accommodate foolishness and make it more comfortable? It doesn't lead to fewer fools.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

At least it will arrive securely and anonymously - and isn't that what it's really all about? ;-)

I personally find it funny when people use Tor and then leave behind [...]same MAC address, don't change DNS servers [...]

Proof that you know less about this than you think you do. MAC addresses become irrelevant after the first network layer hop or an application layer gateway like TOR. Also TOR acts as a SOCKS 5 proxy and will resolve names for you, so again the DNS settings are irrelevant.

By using TOR directly your browser may be giving away clues to your identity. By using privoxy some identity stuff may get filtered but instead you may be leaking information by DNS (especially if you are on an untrusted network). Torifying UDP is IMHO a PITA.
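The two posts above turn on who resolves the hostname: the SOCKS5 proxy, or the client before the proxy is ever contacted. As an added example that is not part of any post in this thread, the sketch below builds and parses SOCKS5 CONNECT requests as laid out in RFC 1928 and flags the ones that carry a literal IP address, which is what a proxy sees when the application has already resolved the name through the local DNS settings. The function names and the sample requests are constructed for illustration.

```python
import ipaddress
import struct

# SOCKS5 address types from RFC 1928, section 4
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int) -> bytes:
    """Build a SOCKS5 CONNECT request the way a client would send it."""
    head = b"\x05\x01\x00"  # VER=5, CMD=CONNECT, RSV=0
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: send the name itself so the proxy resolves it.
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("hostname must be 1..255 bytes")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = bytes([atyp]) + ip.packed
    return head + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> dict:
    """Parse a SOCKS5 request and report which side did name resolution."""
    if len(req) < 5 or req[0] != 5:
        raise ValueError("not a SOCKS5 request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_DOMAIN:
        start, end = 5, 5 + req[4]  # one length byte, then the name
        if req[4] == 0:
            raise ValueError("empty hostname")
    elif atyp == ATYP_IPV4:
        start, end = 4, 8
    elif atyp == ATYP_IPV6:
        start, end = 4, 20
    else:
        raise ValueError("unknown address type 0x%02x" % atyp)
    if len(req) != end + 2:
        raise ValueError("truncated request or trailing bytes")
    raw = req[start:end]
    if atyp == ATYP_DOMAIN:
        host = raw.decode("ascii")  # non-ASCII bytes raise ValueError
    else:
        host = str(ipaddress.ip_address(raw))
    return {
        "cmd": cmd,
        "host": host,
        "port": struct.unpack("!H", req[end:])[0],
        # A hostname reaches the proxy only if the client did not resolve it.
        "resolved_by": "proxy" if atyp == ATYP_DOMAIN else "client",
    }


def possible_dns_leaks(labelled_requests):
    """Return labels of requests that arrived as bare IP addresses.

    A bare IP is not proof of a leak (the user may have typed it), but it is
    the only form a locally resolved name can take, so it is worth a look.
    """
    return [label for label, req in labelled_requests
            if parse_connect(req)["resolved_by"] == "client"]


# Constructed sample traffic: one client hands the name to the proxy, the
# other looked it up first and passes only the address (TEST-NET-1 range).
SAMPLE = [
    ("remote-dns client", build_connect("example.com", 443)),
    ("local-dns client", build_connect("192.0.2.10", 443)),
]

if __name__ == "__main__":
    for label, req in SAMPLE:
        print(label, req.hex(), parse_connect(req))
    print("check these clients:", possible_dns_leaks(SAMPLE))
```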

By using TOR directly your browser may be giving away clues to your identity. By using privoxy some identity stuff may get filtered but instead you may be leaking information by DNS (especially if you are on an untrusted network). Torifying UDP is IMHO a PITA.

The solution is to configure your browser to not provide such information in the first place, even when you're not using Tor. Those few cookies etc. you may need to use certain sites can be limited to a handful of specific sites and made quite temporary in nature.

I never saw any good reason why HTTP Referrers and user-agent headers were ever included in the HTTP spec in the first place. The first is extraneous information and the second is contrary to a Web based on open standards (and tends to help malic

"I never saw any good reason why HTTP Referrers and user-agent headers were ever included in the HTTP spec in the first place. The first is extraneous information and the second is contrary to a Web based on open standards (and tends to help malicious sites know which exploits to use)."

The referrer is useful for a number of reasons. Beyond the obvious one (statistical information), this is helpful for setting up mechanisms to help prevent people hot-linking to images (or other content) on your site. For peo

The referrer is the wrong way to fix hot-linking. You're attempting to maintain costs by using the user's browser. Instead, you should use your web server. Something like the JPG is only available if the HTML page it is on has been recently requested by the same IP. (I'm basically making a fox guarding the hen house argument.)

And the user-agent header is the wrong way to fix content issues. The best way would be to supply all of the content to the other browser and let the user decide what format they want

Your referrer solution: This solution would overload web servers quickly, as every object request would require a log file parsing. It would also suffer from the problem that the image may be loaded from a different server than the HTML file. Thus, your solution is fraught with difficulty in both efficiency of hardware use as well as implementation. Also, it's stupid.

Your user-agent solution: So you're saying that my smart phone, which is on a slower network connection, with a lower usage quota should receiv

As someone who's worked for years as a web developer: Knowing what browser people are using is 100% needed.

Mostly, you use it as a priority list as far as what browser bugs you're fixing. It's not as serious now, but I know there's many web developers waiting for IE6 usage to drop below .1% so they can safely ignore it.

Now, using content headers to "guess" which version of a page to serve up is wrong (you can easily use mobile stylesheets for that) but we're nowhere near that kind of real world application.

To be honest, I have never really understood that mindset. It only comes into play when you wish to flood the page with all sorts of, glamor. And I mean that word in the sense of distracting effects, sounds and movement. It's only needed for making a big show of it, and IMHO, rather few sites benefit from such things. If your business is selling programs for inserting all kinds of special effects, then your page would likely benefit from using such. But if your site is for disseminating information, then al

Your point is well-constructed... but it also shows that you have a bias towards content over presentation.

The fact that it's all one long paragraph, is missing occasional letters, and may have small grammatical errors is absolutely irrelevant to the point that you are making. You used concrete examples and came to a logical conclusion.

But the rest of the world is biased toward presentation over content. It's sad, sure... but it's been that way since the Eternal September [catb.org], and it's not going to change. In f

Once someone has your MAC address (assuming they have the real one) they know the manufacturer of your device. From there they can figure out where it was sold and they tie that to a credit card or bank card if you didn't pay cash. If they can tie your MAC to somewhere that you signed up for an account you are also fingered. Everywhere you go online, no matter how you got there, leaves a trail of things that quickly narrow the field of candidates. You're crazy if you think there is anonymity online.

Once someone has your MAC address (assuming they have the real one) they know the manufacturer of your device. From there they can figure out where it was sold and they tie that to a credit card or bank card if you didn't pay cash.

Are you telling me that if I tell you 00:50:ba:* you can identify where I bought my NIC [dlink.com]? And you can tie it to my credit card? You must be a spook in full collusion with D-Link (for the credit card and inventory records), in which case the mac address reveal is probably the l

You're really, really reaching. I would guess that you could actually do this in maybe 1 case out of 10,000. MAC addresses are assigned to the network card manufacturer. They are (often) installed in your computer on a Pacific Island somewhere, and shipped to the United States, where they are then further distributed far and wide.

The odds that anything like your credit card number would be associated with your MAC address, in any place that it could, as a practical matter, be found, is vanishingly small.

That is, unless you register your network card's serial number for warranty. I'm sure the manufacturer holds the serial number and MAC address tied together in a database somewhere, and now they have your address too. Getting your identity from your MAC address through purchase history would be all but impossible.

It's a NIC. Do you really think someone who's so concerned about privacy is going to give a crap about the $12/$35 it'll cost to replace an under warranty wired/wireless NIC _if_ it dies?

Besides the fact that MAC addresses are not globally unique, regardless that they should be in theory, and the only thing that can track them is the subnet you actually connect to, which isn't discoverable to the TOR exit node......

This conversation is stupid. MAC addresses are not a privacy issue, unless you're connected

Use TorButton [mozilla.org] then (the Windows bundle includes it IIRC). AFAIK it solves most of the problems you mentioned. If you are using Firefox 4 then you need the alpha version from here [torproject.org].

Add to that BetterPrivacy [mozilla.org], and you should be much harder to track.

Torbutton as an addon is a step backwards from Tor Browser Bundle. It was discontinued for a reason. You're not smarter about Torbutton than the developer of Torbutton, and here's what he says: [torproject.org]

I realized at that same instant that in hindsight, this decision [to use one browser instance/profile for Tor and vanilla browsing] was monumentally stupid, and that I had been working harder, not smarter. However, I thought then that since we had the toggle model built, we might as well keep it: it allowed people to

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing.

I solved this problem simply by finding out what your user-agent, LSO and Flash cookies, system configuration, screen size, fonts, plugins, MAC address, and default DNS servers were. Now whenever I'm on Tor I pretend to be x*yy*x - so I'm golden.

But mostly you can identify tor-users which are not having all plugins switched off, by a java applet which acts as a beacon*, also if you have switched it off in your Firefox, it gets reactivated by every juscheded update ;)

But I also want to point the attention to the lately added local web storage in the current generation of browsers, like Opera and doing a picture search in opera and just check the link of the thumb nail you will be interested. So the question is how long will it take till it gets abu

I personally find it funny when people use Tor and then leave behind the same cookies, the same user-agent, LSO and Flash cookies, same system configuration, same screen size, same fonts, same installation and versions of plugins, same MAC address, don't change DNS servers and countless amount of other things that make it very easy to identify your other activity or what you're doing.

If someone is trying to block web browsing by installing a cruddy blocker or whatever, but are not smart enough to block tor connections (think, hotel, restaurant, etc) then tor is a massively overcomplicated proxying solution.

Nevermind also that half of the TOR network end nodes are monitored and sniff your traffic and can modify your browsing session in various ways. Just imagine the fun when you happen to use an end node that serves you a drive-by download exploit instead of the page you requested.

Accessing webservices based in https would fix this surely? But if they don't encrypt the exit tor node -> web server then of course it could be caught by a man in the middle attack. Even if they get this information however they would be unable to tell where the traffic is coming from upstream of the tor exit node unless there is identifying information in the sent data (like you've entered in your email or some such).

I'm not an expert though so don't take my word for gospel, but AFAIK that's how it

Damn... on your first point, no it's stronger because it includes Polipo and Privoxy, which route DNS requests over Tor...

However, despite me using it religiously for years now, you are correct that it's now been deprecated? Why? I don't have the skills to maintain it, and it's something I am sure lots of people have used as their first step to anonymity... it should be maintained. :-(

Well, you can use several VPN's between. That way the traffic that goes encrypted between you and first VPN won't leave unencrypted there. But yeah, you always have to trust the person or company that keeps it.

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?

This is one of many known attacks on Tor, and is the reason why as many people as possible should be running Tor relays, entry nodes, and exit nodes. This is also why Tor circuits are periodically changed by the client. In general, though, it is possible for someone who can monitor a large enough fraction of the Tor network to break the anonymity of the system, even if they cannot control the nodes themselves.

I'd thought about running a Tor entry/exit node, but I really don't want to get dinged for someone else looking at kiddie porn and using me as an exit point. The authorities won't know the difference, and might not even care.

I recall a raid in Germany [wordpress.com]. Depending on police behaviour and accessibility of records, in some countries that can be as harmful as a conviction (e.g. if you're working in a job with vulnerable people).

Can someone explain to me why someone who is monitoring sufficient backbones and running sufficient Tor nodes himself can't just watch a packet stream being bounced between Tor nodes?

I've asked the same question about Freenet.

The network depends on users volunteering to route and store high-risk traffic. The files may be in fragments and encrypted. But if your client application, node or supernode is exposed, the consequences may be - unpleasant.

That is not a problem for the three-letter agency, foreign or domestic, that can build depth by running tens of thousands of nodes and supernodes, if it chooses.

"The network depends on users volunteering to route and store high-risk traffic. The files may be in fragments and encrypted. But if your client application, node or supernode is exposed, the consequences may be - unpleasant."

If you are in the U.S., these assumptions are quite incorrect, in at least a couple of ways.

You are volunteering to take on anonymous traffic, not "high-risk" traffic. There is a very big difference. In effect, you are serving as a "common carrier", and you enjoy the same legal protections as any ISP. In other words, you are only carrying traffic, you are not looking at it in any way, or even accessing it, much less altering it, yourself. You are only a relay. You have nothing to do with the actual conte

You are volunteering to take on anonymous traffic, not "high-risk" traffic. There is a very big difference. In effect, you are serving as a "common carrier", and you enjoy the same legal protections as any ISP. In other words, you are only carrying traffic, you are not looking at it in any way, or even accessing it, much less altering it, yourself. You are only a relay. You have nothing to do with the actual content, so you cannot be held liable for that content.

That statement is very much open to debate [slashdot.org]. I would further argue that westlake's legal budget is significantly lower than Time Warner, AOL or Comcast's.

WTF??? Your link leads (at least currently) to an article about Repetitive Stress Injury in Australia. I am really not sure at all what you were trying to link to, but I doubt that is it. Just so there is no misunderstanding, I stated quite clearly that I was referring to the U.S.

But to the best of my knowledge, it is not open to debate. And I would argue further that I was talking about the law, not the distorted way the law has sometimes been enforced. Regardless of your budget, if the law is applied u

I've always thought it would be nice if the russians or nigerians or chinese would just run Tor on their botnets. I know they probably don't really care for freedom of speech or privacy (in fact, they would like to reduce most people's privacy in terms of financial credentials...) but that is the level of distribution necessary to thwart network analysis. Store-and-forward of all anonymized traffic with random delays and random traffic bursts generated to mask legitimate traffic is essentially the only wa

First, don't bet your life on this technology or OpenSSH or other tech.

Second, rather than run TOR on an everyday personal or work computer (Windows or Mac or Linux) with sensitive data and identifiable traits, I'd recommend booting a LiveCD: TAILS (v0.7.1 is the latest) and Liberté Linux:

Change your MAC and connect at a coffee shop (if paranoid-- on the other side of town, and wear sunglasses in case of surveillance), not from home. Or connect to someone else's open WiFi, or get the key with Backtrack. Less secure is running a LiveCD in a VM (virtualbox or vmware). Another less secure option is running a hardened Linux, or at least running the Bastille script.

What am I missing? The main trouble with the LiveCD/DVDs is the NIC driver/module, but Knoppix is good for that.

I should add that in the United States, you cannot be legally forced to give up your encryption passwords, unless law enforcement can already show that your encrypted data contains illegal content. In other words, because of the 5th amendment, the standard is a lot tougher than even probable cause.

I will also add: the methods of making your bootable drive encrypted are actually quite ordinary; there are many means of encrypting bootable drives. The trick is making a USB drive bootable in the first place. From there, you can use the well-known, commonplace methods of encrypting the drives.

I have to wonder who is anonymously modding these posts down... and their motivation for doing so. This seems like a perfectly reasonable discussion of how to make bootable diagnostic utilities for your computer.

I will reply with the same thing I told the other person who asked: google "Backtrack 4" and go from there. There are instructions, but they may need to be modified depending on what version of Linux you are installing.

I understand that what I'm going to ask is almost a logical fallacy in Slashdot, but I'm going to ask anyway.

Why exactly are you making things complicated for yourself and using Tor in the first place? A person as paranoid as you would use only properly secured banking connections and reputable services anyway, so the chance of any identity theft whatsoever is minuscule. I really can't think of any credible motivation for completely endorsing anonymity except the fear of being caught surfing something explicitly illegal. However, the amount of replies in this thread and their tone suggest, that you can't all be 3rd world revolutionists or Chinese students circumventing the Great Firewall.

Is this just a matter of principle, or do you actually have something to hide? If it's the principle, what are you hoping to accomplish and why? If you're into snuff or whatever, I really don't care, but at least one anonymous reply confirming this would be amusing.

This is not a troll. I'm genuinely interested. Technical answers about repercussions I may have not understood, are not only accepted, but appreciated.

From what I gather (remember this info is all secondhand) some people in former first-world countries (USA anyone?) use TOR, Privoxy, livecds, etc. to research the sort of things that might throw up a flag.

History has clearly shown that the right to free and anonymous speech is essential to maintaining a free society. That fact alone is sufficient motivation to do it. If you don't practice and enforce your rights, you are likely to lose them. Your attitude is exactly why this is true.

Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual. The uncited source is useless if the government doesn't allow the brave individual to include their reference in a public, non-anonymous article. Without someone, anyone standing up to vouch for a story, publicly, anonymous free speech is easily dismissed, easily forgotten, easily covered up.

What good would the Deep Throat informant have done if Bob Woodward an

"Anonymous free speech is a by-product of public free speech and is useless if the society doesn't allow public free speech from a known individual."

I am quite sure that the authors of the "Federalist Papers" and "Antifederalist Papers" would very strongly disagree with you, Patrick Henry notwithstanding. Thomas Paine is probably a better example, and he was not exactly a friend of the existing government. But here is the most telling point: the very people who were writing the Federalist Papers were our Founding Fathers... they just did not dare do it publicly under their own names. To do so would have called unwanted and perhaps disastrous attention t

"Anonymous speech will do nothing to ensure a free society - you need to be prepared to stand up and be counted and not hide behind a fuzzy layer of anonymity... I agree with the OP... Why would you want to be anonymous?"

That's GP, not OP, but regardless:

I refuse to go over the last 300-400 years of history to illustrate why this is important. There are so many reasons... but rather than just blow you off (which I am half-tempted to do), I will instead point you at the following article: https://www.eff.org/issues/anonymity [eff.org]

If you aren't satisfied with that, just google "anonymity 'supreme court'" and read what you find.

And by the way: if you don't think our founding fathers (who used anonymity to their benefit) were willing to stand up when it counted, then you don't know your history.

When, at the signing of the Declaration of Independence, John Hancock said that the revolutionaries must be unanimous and that "We must all hang together on this," Benjamin Franklin replied "We must indeed all hang together, or most assuredly, we shall all hang separately."

Pardon the multiple posts. That wasn't intended as an insult. What I meant was: the whole concept of "If you aren't doing anything wrong, you have nothing to fear" is the culprit. It is simply wrong. That idea has been disproven by history, many times over.

No problem, I wasn't insulted in any way. I stated the comment as a logical fallacy precisely because I knew, that this was going to be said, and that I also consider it the "correct" answer.

What my actual point tried to be, and what some people here already responded to, was that most of the people here using tor don't really have anything to hide and don't seem to have any use for Tor, yet they worry about these things and make their life more complicated for no apparent reason. I see that as paranoia get

I see. The results are interesting. I would count myself among the "principle" group. I have used Tor, but have also found it to be slow, which rather weakened my resolve to use it for principle alone. However, I still support it because something that may be inconvenient today may turn out to be the only possible avenue tomorrow. One never knows. You can call that paranoia if you like, but I prefer the term "preparedness".

And the assertions by some that "half" of the Tor exit nodes are monitored is ridi

In many parts of the world, basic civil freedoms are not possible without anonymous communications. Given events in North Africa, surveillance combined with brutal repression (see Bahrain, Syria, Yemen, Ivory Coast) is now an expected outcome of trying to organize political discourse in many places.

I use it to research anything questionable. I don't trust my ISP & especially my government to not flag certain informative websites like erowid as "questionable behaviour", which may end up with me being further inconvenienced in the future (roadside drug searches etc.). I'm not particularly concerned about being convicted based on my browsing habits, but I don't want to risk the extra attention with corruption being rampant in most police forces.

Well, one thing is for searching stuff that might be illegal to even look information about in your country. Because if someone gets to know that, they can try to blackmail you, you have to bribe them or officials or just end up in a Chinese jail. And it's useful if you're in a sect and looking for a way out.

Another reason is that it makes it harder to track who you are, say if you're looking to download something from a site you know to have an admin who looks at the logs about whose IP it is. this is part

Example: in most of Europe, it is illegal to express any doubt at all as to the historical truth of the Holocaust. I don't mean denial, but even questioning the number of victims, or how they were selected can get you sent to jail.

While I can't speak for the other users of Tor, I have found it extremely useful and even vital for computer security in the location I am now: Sudan.

Let me explain: I'm working for the UN, and have brought my own laptop. I'm buying "wireless broadband" from a local ISP, who is anything but broad... but that's a different matter. Since I like keeping my computer safe, I need to download the latest patches for Flash and Java and so on and so forth... which is where the problem arises. You see... the US is cur

TL;DR in my country, religious zealots and enforced morality codes forbid University students from accessing pornographic and other controversial materials even in their own dorm rooms. Can you guess which modernized first nation I live in?

I was trying out iMule and saw that it uses a network layer called i2p that supports any application that can run using a proxy. You might want to give it a try. i2p is available at http://www.i2p2.de/ [i2p2.de] Here's a description of i2p from the introduction: "I2P is a scalable, self organizing, resilient packet switched anonymous network layer, upon which any number of different anonymity or security conscious applications can operate. Each of these applications may make their own anonymity, latency, and throug

I can't believe no one has said anything about OperaTor yet. Mostly because it's the only one I was aware of before this article. Is it because OperaTor doesn't appear to be in development anymore (as in dead)?